Overview

If you suspect that your website has been hacked, the best thing to do is to reinstall the web application (such as WordPress or Joomla) from a fresh download rather than trying to pick the injected code out of the existing files. The steps below apply primarily to reinstalling WordPress, since that is the most commonly used (and therefore the most commonly hacked) software, but the general steps hold true for many CMS installs.

How to replace your site with a new copy of WordPress

The following sections describe how to manually reinstall a clean copy of WordPress on your hacked site. Follow them in the order they appear.

Step one: change your WordPress theme

If possible, log into your WordPress dashboard at ‘example.com/wp-admin’. Once logged in, navigate to ‘Appearance > Themes’ and switch to the current default theme.

Twenty Fifteen is the default theme bundled with WordPress at the time of writing. Switching to it now means the fresh install you create later already contains the theme your database expects as active, so the new site renders instead of loading a blank page.

Step two: change your passwords

There are a few general notes on passwords you should always follow:

Don't reuse passwords - Most of us use the same password in multiple places. We shouldn't. Make every password unique, so that if one is compromised (for example in a breach at an unrelated site) your other logins remain secure.

Use strong passwords - You can generate them with a tool such as Strong Password Generator or a password manager. Length matters most: treat 8 characters as an absolute floor and prefer 16 or more, mixing letters, numbers and symbols.

Changing the database user password

Updating your wp-config.php file

When you change the database user’s password, you will also need to edit your wp-config.php file so that the DB_PASSWORD line reflects the new password. There is information on how to edit the wp-config.php file to change the database password at codex.WordPress.org. You can also view the WordPress wp-config article for further details.

If you have multiple users for your database, make sure that you are changing the correct user's password. You can check which database user your WordPress install logs in as by looking at the DB_USER line in wp-config.php.

Important:

If there is anything like the following in your file, you have definitely been hacked, and you MUST remove it ASAP.

<?php eval(gzinflate(base64_decode('dVRtb6NGE.....')));?>

eval() runs whatever the attacker has base64-encoded (and, as here, compressed) inside that string; the encoding exists only to hide the code from a casual look, and the result is a backdoor the attacker can reuse on your site again and again. Delete that section entirely, or better yet, rebuild wp-config.php from the wp-config-sample.php that ships with WordPress, copying over only your database settings and fresh unique keys and salts.
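The one-liner above is recognisable by its shape, so it can be found and unwrapped automatically rather than by eyeballing every file. The script below is an added example for this article (not DreamHost or WordPress code): it matches eval(base64_decode(...)) with an optional gzinflate or gzuncompress layer, reverses the encoding so you can read what the attacker planted, and reports the line number. The sample wp-config.php text and its "payload" (a harmless echo) are constructed inside the script; point scan_php_file() at a real file to use it on a hacked install.

```python
"""Find and unwrap eval(gzinflate(base64_decode('...'))) payloads in PHP source.

Added example; not DreamHost or WordPress code. The sample file and payload
below are constructed here so the script can be run safely offline.
"""
import base64
import re
import sys
import zlib

# The classic shape: eval( [gzinflate|gzuncompress]( base64_decode( '...' ) ) )
# Tolerates either quote style and arbitrary whitespace.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:(gzinflate|gzuncompress)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)",
    re.IGNORECASE,
)


def unwrap_payload(wrapper, blob):
    """Reverse the encoding layers and return the hidden PHP as bytes."""
    data = base64.b64decode(blob)
    if wrapper and wrapper.lower() == "gzinflate":
        data = zlib.decompress(data, -15)   # PHP gzinflate() is raw DEFLATE
    elif wrapper and wrapper.lower() == "gzuncompress":
        data = zlib.decompress(data)        # PHP gzuncompress() is zlib-wrapped
    return data


def find_obfuscated_evals(php_source):
    """Return [(line_number, wrapper, decoded_payload)] for every match."""
    hits = []
    for m in OBFUSCATED_EVAL.finditer(php_source):
        line_no = php_source.count("\n", 0, m.start()) + 1
        wrapper, blob = m.group(1), m.group(2)
        try:
            decoded = unwrap_payload(wrapper, blob).decode("utf-8", "replace")
        except (ValueError, zlib.error) as exc:
            decoded = "<could not decode: %s>" % exc
        hits.append((line_no, (wrapper or "none").lower(), decoded))
    return hits


def scan_php_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_obfuscated_evals(fh.read())


def encode_like_attacker(php_code, wrapper="gzinflate"):
    """Build the blob an attacker would embed (used only to construct the sample)."""
    data = php_code.encode()
    if wrapper == "gzinflate":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    elif wrapper == "gzuncompress":
        data = zlib.compress(data)
    return base64.b64encode(data).decode()


def make_sample_wp_config():
    """Constructed sample: a normal-looking wp-config.php with one injected line."""
    blob = encode_like_attacker("echo 'backdoor would run here';")
    return (
        "<?php\n"
        "define('DB_NAME', 'wp_example');\n"
        "define('DB_USER', 'wp_user');\n"
        "<?php eval(gzinflate(base64_decode('%s')));?>\n" % blob
        + "require_once ABSPATH . 'wp-settings.php';\n"
    )


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else make_sample_wp_config()
    for line_no, wrapper, payload in find_obfuscated_evals(source):
        print("line %d (%s): %s" % (line_no, wrapper, payload.strip()))
```

Decoding the payload is worth the extra lines: it tells you whether you are looking at a simple redirect, a file-upload backdoor or a mailer, which in turn tells you what else (uploads directory, other sites under the same user) needs checking. A file with no hits is not proven clean; this catches one common shape, not every obfuscation.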

Step three: take the hacked code offline

Find your domain's directory (folder), which is most likely a folder named after your site. If you’re in the correct directory, you’ll see a list of files and directories beginning with "wp-". It’s also possible you installed WordPress in a subdirectory such as /blog.

Rename the directory (folder) where WordPress is installed. If it’s your primary directory, rename it ‘example.com_HACKED’. If it’s in a subdirectory, rename it to ‘example.com/blog_HACKED’.

Important:

When you rename the web directory, your site will immediately be taken offline.

Create a new, empty domain directory with the same directory name as the old one.

Step four: install a new unhacked copy of WordPress

Reinstall WordPress in one of two ways:

Manually

Using the One-Click Installer

Manually reinstalling WordPress

View the following page for details on how to manually reinstall WordPress:

If you did not change the theme to Twenty Fifteen before beginning, the site may load a blank white page. This is because your database still records your old theme as active, and that theme is not present in the new install.

If you cannot get into the dashboard at this point, download a copy of your chosen theme (usually delivered as a ZIP), unzip it on your computer, and log into your FTP account to upload the theme folder to the themes directory. (If the dashboard does load, you can instead upload the ZIP from within the dashboard under ‘Appearance > Themes > Add New’.) The themes directory is located in the following folder:

/example.com/wp-content/themes

So, if your theme name is /my_theme, it should look like this:

example.com/wp-content/themes/my_theme/

Once you have your chosen theme installed, you should be able to load your site and see your posts.

Step five: copy your previous uploads

Your uploads (images and other media) are still in the old hacked install's directory. Using FTP, copy the contents of the old uploads folder to the new one. For example:

example.com_HACKED/wp-content/uploads

-to-

example.com/wp-content/uploads

Important:

Please check over the files you are moving and make sure they are all yours. If you move hacked code into your new install, it will infect your new site. The /uploads directory primarily contains media, so the files should end with extensions that indicate what kind of file they are (.jpg for a JPEG image, for example, or .mp3 for an MP3 audio file). PHP code has no business in /uploads: BE VERY CAUTIOUS ABOUT FILES ENDING IN .PHP (OR .PHTML, .PHP5 AND SIMILAR) IN THE /uploads DIRECTORY, and be just as wary of a supposed image that starts with <?php when opened in a text editor.

Step six: install your former plugins

The final step is to install the WordPress plugins that you need for your site. Again, it is very important to install brand-new copies of your plugins, rather than copying over the files from the hacked install.

You can install the plugins from your new WordPress dashboard. Only install the plugins you know you need and use. Cutting down on inactive plugins limits a hacker's access to your install and makes WordPress run faster as well.

Step seven: finish successfully

If everything goes well, you now have a brand-new install of WordPress, connected to your old database and with all your uploaded content, your chosen theme, and your chosen plugins.

How to manually remove/replace content

If you do not want to follow the directions above to completely replace your site, you can still manually remove and replace specific content. This is not recommended, because it’s much easier to miss infected files.

.htaccess file

Many hackers insert code into the standard WordPress .htaccess file (for example rewrite rules that send visitors elsewhere, or handler directives that make the server execute image files as PHP). The best thing to do is to completely remove the old, hacked .htaccess and generate a new one:
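To judge what has been added, you need to know what the stock file looks like. The script below is an added example for this article (not DreamHost or WordPress code): WP_DEFAULT_HTACCESS is the rewrite block WordPress itself writes for a single-site install with permalinks enabled; extra_lines() lists every line that is not part of that block, and flag_risky() picks out the ones matching patterns commonly seen in tampered files. SAMPLE_HACKED is constructed here to show what such additions look like; the example.net host in it is a placeholder.

```python
"""Separate the stock WordPress .htaccess block from whatever else is in the file.

Added example; not DreamHost or WordPress code. SAMPLE_HACKED is constructed.
"""
import re

# The block WordPress writes for a single-site install with permalinks on.
WP_DEFAULT_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Heuristic patterns for directives that are common in tampered files.
RISKY = [
    (re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I),
     "conditional redirect keyed on referrer/user agent"),
    (re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
     "rewrite to an external URL"),
    (re.compile(r"Add(Handler|Type)\s+\S*php\S*\s+.*\.(jpg|jpeg|gif|png|txt|ico)", re.I),
     "maps a non-PHP extension to the PHP handler"),
    (re.compile(r"php_value\s+auto_(prepend|append)_file", re.I),
     "forces a file to run before/after every PHP script"),
    (re.compile(r"ErrorDocument\s+\d+\s+https?://", re.I),
     "error page served from another host"),
]


def normalise(line):
    """Collapse whitespace so formatting differences do not hide a stock line."""
    return " ".join(line.split())


def extra_lines(htaccess_text):
    """Non-empty lines that do not appear in the stock WordPress block."""
    stock = {normalise(l) for l in WP_DEFAULT_HTACCESS.splitlines() if l.strip()}
    return [l.strip() for l in htaccess_text.splitlines()
            if l.strip() and normalise(l) not in stock]


def flag_risky(lines):
    """Return (line, reason) for every line matching a RISKY pattern."""
    flagged = []
    for line in lines:
        for pattern, reason in RISKY:
            if pattern.search(line):
                flagged.append((line, reason))
                break
    return flagged


# Constructed sample: stock block followed by the kind of additions to look for.
SAMPLE_HACKED = WP_DEFAULT_HTACCESS + """
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://example.net/landing.php [R=302,L]
AddHandler application/x-httpd-php .jpg
"""


if __name__ == "__main__":
    extras = extra_lines(SAMPLE_HACKED)
    print("lines outside the stock block:", len(extras))
    for line, reason in flag_risky(extras):
        print("  %-60s <- %s" % (line, reason))
```

Lines reported by extra_lines() are not automatically malicious; hosting providers and caching plugins legitimately add directives of their own. The ones flag_risky() returns are the priority for review, and a referrer-conditional redirect to a host you do not own is a reliable sign of tampering.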

Deleting a WordPress install in the DreamHost panel

If you have the old WordPress install at example.com and another site at example.com/othersite/, clicking the Delete all Files button will remove everything including the non-WordPress site at example.com/othersite.

At this point, there should be no remaining items in the directory but files you have uploaded. If there are files still there that you do not recognize, examine them carefully as they may be files placed there by a hacker. If you are certain that you do not want these files, you can delete them.

This command permanently deletes all files and there is no way to retrieve them once the command is run. Make sure you wish to permanently delete all WordPress files before running this command.

How to manually manage plugins

It’s very important to always keep your plugins up to date, as this limits the possibility of getting hacked.

Updating plugins in the WordPress dashboard

The WordPress dashboard notifies you if there are any updates for your installed plugins. You’ll see this in the left hand column next to ‘Plugins’:

The number of plugins that need to be updated is displayed in a circle next to ‘Plugins’.

You can update each plugin individually by clicking the ‘update now’ link below the plugin.

You can also click the dropdown at the top of the list (next to the word "Plugin" just above the name of your first plugin listed), select ‘Update’ from the ‘Bulk Actions’ dropdown, and then click ‘Apply’ to update all plugins in that list.

Updating plugins via SSH

You can use the WP CLI interface to update plugins via SSH. View the following page for further details and examples:

To disable a plugin without the dashboard (for example over FTP or SSH), rename its folder. For example, if the plugin folder is named /myplugin, rename it to /myplugin_OFF. This disables the plugin.

Rename it back whenever you wish to re-enable it.

To disable all plugins, just rename the entire /plugins directory to /plugins_OFF. If you rename the plugins directory and then try to install new plugins while the name is changed, you will get an error.

If you want to keep the plugin files in /plugins_OFF and install new plugins, create a new and empty plugins directory at the same time that you rename the old one.

How to manually manage your WordPress theme

It’s very important to always keep your themes up to date, as this limits the possibility of getting hacked.

Updating a theme in the WordPress dashboard

In the left-hand column click ‘Appearance’. A list of all your currently installed themes will show in the main window. Any themes with updates available will show ‘Update Available’ at the top of their box.

Click on the theme’s box to expand it.

On the right, you have the option to update it.

Deleting a theme in the WordPress dashboard

It is best to always remove themes you are not using. You should only keep the theme you actively use, since you can always reinstall removed themes at any time. By removing themes, you keep their files from being used as attack entry points.

In the left-hand column click ‘Appearance’.

A list of themes displays:

Click the theme you wish to remove.

On the bottom right, click the ‘Delete’ link to remove the theme.

Deleting a theme via FTP

If you cannot access the dashboard, you can still delete the theme via FTP:

Injected code of the kind shown in the wp-config.php example above also turns up in plugins and (sadly) themes. Are the copies you have safe? It's difficult to say, since there are thousands of plugins in the WordPress.org database alone. The best thing to do is delete the plugins and reinstall them from fresh downloads. The same goes for themes.

Split up your website users

Splitting up your user accounts also isolates your sites from one another. By assigning one domain per user, you ensure that if that user is compromised, only that site is affected, and an infection on that site cannot spread to the others.

DreamHost has a One User Per Domain policy, which means each domain can only have one user assigned to it. View the article for further details on how to create a different user for your domain.

One More Scan

Look 'one folder up' for an index.php and wp-config.php file. Sometimes if you install WordPress in a subdirectory such as example.com/wp/ you'll run it out of example.com. When that happens, you'll have those two files in the example.com directory, and from time to time they get missed when you clean up.

Look for oddly named files: any file named something like ljkdhsf92328kjhsdfsdf.php or mai1.php (that's mai-one, not mail) is probably suspect. Examine them and delete them.
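The checks in this final scan and in the uploads step above (PHP scripts in /uploads, WordPress files left one folder up, random-looking or lookalike names) are mechanical enough to script. The example below is added for this article and is not DreamHost or WordPress code; the directory layout it scans is built in build_sample_tree() as a constructed sample, and the name patterns are heuristics (sha1.php, for instance, will trip the lookalike rule), so everything it reports still needs a human look. It also reads the first bytes of non-PHP files, which catches a "photo.jpg" that is really a PHP script.

```python
"""Triage a WordPress directory tree for files that should not be there.

Added example; not DreamHost or WordPress code. Heuristics only: review every
finding by hand. Run against a real install with, e.g.,
triage("/home/user/example.com_HACKED", "/home/user/example.com_HACKED/blog").
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_MARKERS = (b"<?php", b"<?=")
# 16+ letters/digits with no separators, e.g. ljkdhsf92328kjhsdfsdf.php (heuristic).
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}\.[a-z0-9]+$", re.I)
# A 0 or 1 wedged between letters, e.g. mai1.php or wp-l0gin.php (heuristic).
LOOKALIKE_NAME = re.compile(r"[a-z][01](?=[a-z.])", re.I)


def php_by_content(path, sniff=4096):
    """True if the first bytes contain a PHP open tag, whatever the extension says."""
    with open(path, "rb") as fh:
        head = fh.read(sniff)
    return any(marker in head for marker in PHP_MARKERS)


def triage(docroot, wp_root):
    """Return a list of (reason, path). docroot is the web root; wp_root is where
    WordPress lives (the same directory unless it is installed in a subdirectory)."""
    findings = []
    # 1. WordPress run from a subdirectory leaves index.php and wp-config.php one folder up.
    if os.path.abspath(docroot) != os.path.abspath(wp_root):
        for name in ("index.php", "wp-config.php"):
            candidate = os.path.join(docroot, name)
            if os.path.isfile(candidate):
                findings.append(("wordpress file one folder up", candidate))
    uploads = os.path.abspath(os.path.join(wp_root, "wp-content", "uploads"))
    for dirpath, _dirs, files in os.walk(wp_root):
        here = os.path.abspath(dirpath)
        in_uploads = here == uploads or here.startswith(uploads + os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            # 2. Executable scripts do not belong under uploads at all.
            if in_uploads and ext in PHP_EXTENSIONS:
                findings.append(("php script in uploads", path))
            # 3. A media or text file that actually contains PHP.
            elif ext not in PHP_EXTENSIONS and php_by_content(path):
                findings.append(("php code hidden in non-php file", path))
            # 4. Names a human would not have chosen.
            if RANDOM_NAME.match(name):
                findings.append(("random-looking name", path))
            if LOOKALIKE_NAME.search(name):
                findings.append(("lookalike name", path))
    return findings


def build_sample_tree():
    """Constructed sample: docroot with WordPress in /wp plus planted bad files."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    wp = os.path.join(root, "wp")
    files = {
        "index.php": b"<?php define('WP_USE_THEMES', true); require './wp/wp-blog-header.php';",
        "wp-config.php": b"<?php define('DB_NAME', 'wp_example');",
        "wp/index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp/wp-config.php": b"<?php define('DB_NAME', 'wp_example');",
        "wp/wp-content/uploads/2015/05/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "wp/wp-content/uploads/2015/05/shell.php": b"<?php echo 'not a picture';",
        "wp/wp-content/uploads/2015/05/logo.gif": b"GIF89a" + b"\x00" * 16 + b"<?php echo 'polyglot';",
        "wp/wp-content/ljkdhsf92328kjhsdfsdf.php": b"<?php echo 'dropped';",
        "wp/wp-includes/mai1.php": b"<?php echo 'lookalike';",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, wp


if __name__ == "__main__":
    docroot, wp_root = build_sample_tree()
    for reason, path in triage(docroot, wp_root):
        print("%-32s %s" % (reason, os.path.relpath(path, docroot)))
```

Run it against the renamed _HACKED directory before copying anything out of it, and again against the fresh install after the uploads have been moved; the second run should come back empty apart from any legitimate files you recognise.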